security/landlock/net.c

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * Landlock LSM - Network management and hooks
   4  *
   5  * Copyright © 2022-2023 Huawei Tech. Co., Ltd.
   6  * Copyright © 2022-2023 Microsoft Corporation
   7  */
   8
   9 #include <linux/in.h>
  10 #include <linux/net.h>
  11 #include <linux/socket.h>
  12 #include <net/ipv6.h>
  13
  14 #include "common.h"
  15 #include "cred.h"
  16 #include "limits.h"
  17 #include "net.h"
  18 #include "ruleset.h"
  19
  20 int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
  21                              const u16 port, access_mask_t access_rights)
  22 {
  23         int err;
  24         const struct landlock_id id = {
  25                 .key.data = (__force uintptr_t)htons(port),
  26                 .type = LANDLOCK_KEY_NET_PORT,
  27         };
  28
  29         BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
  30
  31         /* Transforms relative access rights to absolute ones. */
  32         access_rights |= LANDLOCK_MASK_ACCESS_NET &
  33                          ~landlock_get_net_access_mask(ruleset, 0);
  34
  35         mutex_lock(&ruleset->lock);
  36         err = landlock_insert_rule(ruleset, id, access_rights);
  37         mutex_unlock(&ruleset->lock);
  38
  39         return err;
  40 }
  41
  42 static access_mask_t
  43 get_raw_handled_net_accesses(const struct landlock_ruleset *const domain)
  44 {
  45         access_mask_t access_dom = 0;
  46         size_t layer_level;
  47
  48         for (layer_level = 0; layer_level < domain->num_layers; layer_level++)
  49                 access_dom |= landlock_get_net_access_mask(domain, layer_level);
  50         return access_dom;
  51 }
  52
  53 static const struct landlock_ruleset *get_current_net_domain(void)
  54 {
  55         const struct landlock_ruleset *const dom =
  56                 landlock_get_current_domain();
  57
  58         if (!dom || !get_raw_handled_net_accesses(dom))
  59                 return NULL;
  60
  61         return dom;
  62 }
  63
  64 static int current_check_access_socket(struct socket *const sock,
  65                                        struct sockaddr *const address,
  66                                        const int addrlen,
  67                                        const access_mask_t access_request)
  68 {
  69         __be16 port;
  70         layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {};
  71         const struct landlock_rule *rule;
  72         access_mask_t handled_access;
  73         struct landlock_id id = {
  74                 .type = LANDLOCK_KEY_NET_PORT,
  75         };
  76         const struct landlock_ruleset *const dom = get_current_net_domain();
  77
  78         if (!dom)
  79                 return 0;
  80         if (WARN_ON_ONCE(dom->num_layers < 1))
  81                 return -EACCES;
  82
  83         /* Checks if it's a (potential) TCP socket. */
  84         if (sock->type != SOCK_STREAM)
  85                 return 0;
  86
  87         /* Checks for minimal header length to safely read sa_family. */
  88         if (addrlen < offsetofend(typeof(*address), sa_family))
  89                 return -EINVAL;
  90
  91         switch (address->sa_family) {
  92         case AF_UNSPEC:
  93         case AF_INET:
  94                 if (addrlen < sizeof(struct sockaddr_in))
  95                         return -EINVAL;
  96                 port = ((struct sockaddr_in *)address)->sin_port;
  97                 break;
  98
  99 #if IS_ENABLED(CONFIG_IPV6)
 100         case AF_INET6:
 101                 if (addrlen < SIN6_LEN_RFC2133)
 102                         return -EINVAL;
 103                 port = ((struct sockaddr_in6 *)address)->sin6_port;
 104                 break;
 105 #endif /* IS_ENABLED(CONFIG_IPV6) */
 106
 107         default:
 108                 return 0;
 109         }
 110
 111         /* Specific AF_UNSPEC handling. */
 112         if (address->sa_family == AF_UNSPEC) {
 113                 /*
 114                  * Connecting to an address with AF_UNSPEC dissolves the TCP
 115                  * association, which have the same effect as closing the
 116                  * connection while retaining the socket object (i.e., the file
 117                  * descriptor).  As for dropping privileges, closing
 118                  * connections is always allowed.
 119                  *
 120                  * For a TCP access control system, this request is legitimate.
 121                  * Let the network stack handle potential inconsistencies and
 122                  * return -EINVAL if needed.
 123                  */
 124                 if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP)
 125                         return 0;
 126
 127                 /*
 128                  * For compatibility reason, accept AF_UNSPEC for bind
 129                  * accesses (mapped to AF_INET) only if the address is
 130                  * INADDR_ANY (cf. __inet_bind).  Checking the address is
 131                  * required to not wrongfully return -EACCES instead of
 132                  * -EAFNOSUPPORT.
 133                  *
 134                  * We could return 0 and let the network stack handle these
 135                  * checks, but it is safer to return a proper error and test
 136                  * consistency thanks to kselftest.
 137                  */
 138                 if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
 139                         /* addrlen has already been checked for AF_UNSPEC. */
 140                         const struct sockaddr_in *const sockaddr =
 141                                 (struct sockaddr_in *)address;
 142
 143                         if (sock->sk->__sk_common.skc_family != AF_INET)
 144                                 return -EINVAL;
 145
 146                         if (sockaddr->sin_addr.s_addr != htonl(INADDR_ANY))
 147                                 return -EAFNOSUPPORT;
 148                 }
 149         } else {
 150                 /*
 151                  * Checks sa_family consistency to not wrongfully return
 152                  * -EACCES instead of -EINVAL.  Valid sa_family changes are
 153                  * only (from AF_INET or AF_INET6) to AF_UNSPEC.
 154                  *
 155                  * We could return 0 and let the network stack handle this
 156                  * check, but it is safer to return a proper error and test
 157                  * consistency thanks to kselftest.
 158                  */
 159                 if (address->sa_family != sock->sk->__sk_common.skc_family)
 160                         return -EINVAL;
 161         }
 162
 163         id.key.data = (__force uintptr_t)port;
 164         BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
 165
 166         rule = landlock_find_rule(dom, id);
 167         handled_access = landlock_init_layer_masks(
 168                 dom, access_request, &layer_masks, LANDLOCK_KEY_NET_PORT);
 169         if (landlock_unmask_layers(rule, handled_access, &layer_masks,
 170                                    ARRAY_SIZE(layer_masks)))
 171                 return 0;
 172
 173         return -EACCES;
 174 }
 175
 176 static int hook_socket_bind(struct socket *const sock,
 177                             struct sockaddr *const address, const int addrlen)
 178 {
 179         return current_check_access_socket(sock, address, addrlen,
 180                                            LANDLOCK_ACCESS_NET_BIND_TCP);
 181 }
 182
 183 static int hook_socket_connect(struct socket *const sock,
 184                                struct sockaddr *const address,
 185                                const int addrlen)
 186 {
 187         return current_check_access_socket(sock, address, addrlen,
 188                                            LANDLOCK_ACCESS_NET_CONNECT_TCP);
 189 }
 190
 191 static struct security_hook_list landlock_hooks[] __ro_after_init = {
 192         LSM_HOOK_INIT(socket_bind, hook_socket_bind),
 193         LSM_HOOK_INIT(socket_connect, hook_socket_connect),
 194 };
 195
 196 __init void landlock_add_net_hooks(void)
 197 {
 198         security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
 199                            &landlock_lsmid);
 200 }